The following is the first few sections of a chapter from Android's Architecture Components, plus headings for the remaining major sections, to give you an idea about the content of the chapter.
Room, by default, works with the device’s stock copy of SQLite. This is fine, as far as it goes. However, from a security standpoint, SQLite stores its data unencrypted. Many apps should be considering encrypting their data “at rest”, when it is stored in a database, to protect their users.
Fortunately, as noted in an earlier chapter, Room supports a pluggable SQLite implementation, and so we can plug in a SQLite edition that supports encryption, such as SQLCipher for Android. This chapter will outline how to do this.
There are two pieces to the encrypted-database puzzle: a SQLite implementation with encryption capability, and the “glue code” that allows Room to work with that SQLite implementation.
Since SQLite is public domain, it is easy for people to grab the source code and hack on it. SQLite also offers an extension system, making it relatively easy for developers to add functionality with a minimal number of changes to SQLite’s core code. As a result, a few encryption options for SQLite have been published.
One of these is SQLCipher, whose development is overseen by Zetitec. This offers transparent AES-256 encryption of everything in the database: data, schema, etc.
With the help of the Guardian Project, Zetitec released
SQLCipher for Android.
This combines a pre-compiled version of SQLite with Java classes that mimic
an old edition of Android’s native SQLite classes (e.g., SQLiteOpenHelper).
SQLCipher for Android is open source, and if you can live with the increase
in app size due to the native binaries, it is an effective solution.
However, it knows nothing about Room.
To fill that gap, the author of this book has released
CWAC-SafeRoom. This is an
implementation of Room’s pluggable database API to bridge between
Room and SQLCipher for Android. Using SQLCipher for Android then becomes mostly
a matter of a single method call on the RoomDatabase.Builder to use the
CWAC-SafeRoom code — everything else works as normal.
That being said, at the time of this writing, the latest releases of Room and
the support databse API are both
1.1.0, and CWAC-SafeRoom is 0.4.0. These are early days for both
libraries, and so changes may occur either at the Room or the CWAC-SafeRoom level.
The preview of this section was the victim of a MITM ('Martian in the middle') attack.
The preview of this section is sleeping in.